commit 619e9e4239e1dc362fe5426c8970a9a120c4627e
author Sachin Bhayare <sachin.bhayare@codeaurora.org> Mon May 15 13:10:31 2017 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Thu May 25 14:40:37 2017 -0700
tree eba40040aada64ec0d5c77ed7cd7b4b3b9fa62e3
parent 3712fcaa98a7a4eb29301b872b38b7a2acbb955a

app: aboot: check splash buffer size for overflow

Check splash buffer size for overflow before loading splash image
from emmc or flash.

Change-Id: Iff3e5ff8ba0033340f61b262d6a53adb11add7ce

app/aboot/aboot.c

diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index be347ce..dce379e 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -3671,6 +3671,17 @@
 		}
 
 		uint8_t *base = (uint8_t *) fb_display->base;
+		uint32_t fb_size = ROUNDUP(fb_display->width *
+					fb_display->height *
+					(fb_display->bpp / 8), 4096);
+		uint32_t splash_size = ((((header->width * header->height *
+					fb_display->bpp/8) + 511) >> 9) << 9);
+
+		if (splash_size > fb_size) {
+			dprintf(CRITICAL, "ERROR: Splash image size invalid\n");
+			return -1;
+		}
+
 		if (flash_read(ptn + LOGO_IMG_HEADER_SIZE, 0,
 			(uint32_t *)base,
 			((((header->width * header->height * fb_display->bpp/8) + 511) >> 9) << 9))) {
@@ -3744,6 +3755,15 @@
 						|| (header->height != fb_display->height))
 				fbcon_clear();
 
+			uint32_t fb_size = ROUNDUP(fb_display->width *
+					fb_display->height *
+					(fb_display->bpp / 8), 4096);
+
+			if (readsize > fb_size) {
+				dprintf(CRITICAL, "ERROR: Splash image size invalid\n");
+				return -1;
+			}
+
 			if (mmc_read(ptn + blocksize, (uint32_t *)(base + blocksize), readsize)) {
 				dprintf(CRITICAL, "ERROR: Cannot read splash image from partition\n");
 				return -1;